Dibbler - a portable DHCPv6  1.0.2RC1
dnssec-sign.h File Reference

DNS message signing. More...

#include "dnsmessage.h"

Functions

std::string base64_decode (const char *str)
std::string calc_mac (DnsRR &tsig_rr, message_buff message, std::string sign_key, message_buff *extra=NULL)
void print_buff (int size, const unsigned char *buff)
void tsig_from_string (DnsRR *&tsig_rr, std::string &sign_key, const char *keystring)
 get sign parameters from key string
void tsig_from_string (DnsMessage *message, const char *keystring)
 set message sign parameters from key string
DnsRR* tsig_record (domainname keyname, unsigned short fudge=600, domainname sign_algorithm="HMAC-MD5.SIG-ALG.REG.INT")
 create sparse TSIG record
void verify_signature (DnsRR *check_tsig, DnsRR *message_tsig, std::string key, message_buff message)
 Verify TSIG signature.

Detailed Description

DNS message signing.

This file contains code related to signing DNS messages and verifying signed messages.

Function Documentation

std::string base64_decode (const char *str)

Base64-decode strings

std::string calc_mac (DnsRR &tsig_rr, message_buff message, std::string sign_key, message_buff *extra = NULL)

Calculate message MAC

void print_buff (int size, const unsigned char *buff)

void tsig_from_string (DnsRR *&tsig_rr, std::string &sign_key, const char *keystring)

get sign parameters from key string

Sets the TSIG signing parameters from a key string; see the other tsig_from_string for syntax.

void tsig_from_string (DnsMessage *message, const char *keystring)

set message sign parameters from key string

Sets the TSIG signing parameters for a DNS message from a key string, which is a string with the format keyname:key[:fudge]. The key is in BASE64 encoded form; if no fudge is given, the default fudge value of tsig_record will be used.

Parameters
message: The message to set TSIG parameters of
keystring: The key string

DnsRR* tsig_record (domainname keyname, unsigned short fudge = 600, domainname sign_algorithm = "HMAC-MD5.SIG-ALG.REG.INT")

create sparse TSIG record

Creates a TSIG RR with suitable values for use as DnsMessage::tsig_rr in checking and signing of DNS messages.

Parameters
keyname: Name of the key
fudge: Permitted time difference between signing and checking
sign_algorithm: Algorithm used to sign the message (currently, only the default is supported)
Returns
The TSIG record


void verify_signature (DnsRR *check_tsig, DnsRR *message_tsig, std::string key, message_buff message)

Verify TSIG signature.

Using the original TSIG record and the sign key DnsMessage::sign_key, verify whether the DNS message is correctly signed; if not, an exception is thrown and check_tsig's error is set to indicate the error that occurred when checking the DNS message.

If use_orig_mac is set, the MAC from the original message is included in the check MAC, as dictated by RFC 2845, section 4.2. The original TSIG record's MAC is updated to match the answer's MAC. The message length this function takes is the message length without the TSIG record included in the message, as returned by DnsMessage::read_from_data.

Parameters
check_tsig: TSIG record to check against
message_tsig: TSIG record from the message
key: Key to use
message: Binary representation of message to check

Verify TSIG signature.

Make sure that message_buff is trimmed down so that it does not include the TSIG record; the TSIG record must instead be passed as message_tsig.

Parameters
check_tsig: TSIG RR from the original message
message_tsig: TSIG RR from the response message that we are validating
key: The key used for signing
message: Received message (without TSIG record)
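The key string format described for tsig_from_string (keyname:key[:fudge], key in base64, fudge defaulting to the tsig_record default of 600) and the fudge window that verify_signature enforces ("bad sign time") are shown below as an added example. This is illustration code written for this page, not Poslib or Dibbler code; the names TsigKeyParams, parse_tsig_keystring, base64_decode_strict and within_fudge are hypothetical and not part of the library API. The decoder is deliberately strict: a key that silently decodes to fewer bytes than intended would make every signature check fail or, worse, let a mistyped key be accepted as a shorter one.

```cpp
// Added example (not Poslib/Dibbler code): parse a TSIG key string of the
// form keyname:key[:fudge] and apply the RFC 2845 section 4.5.2 time check.
// All names below are hypothetical and not part of the library API.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <stdexcept>
#include <string>

struct TsigKeyParams {
    std::string keyname;   // owner name of the TSIG RR
    std::string key;       // raw decoded key bytes fed to the HMAC
    unsigned short fudge;  // permitted time difference, seconds
};

// Map one base64 alphabet character to its 6-bit value, or -1 if invalid.
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Strict base64 decoder: rejects bad characters, bad length and misplaced
// padding instead of returning a truncated key.
std::string base64_decode_strict(const std::string &in) {
    if (in.empty() || in.size() % 4 != 0)
        throw std::invalid_argument("base64: length must be a non-zero multiple of 4");
    std::string out;
    uint32_t acc = 0;
    int bits = 0;
    bool padded = false;
    for (size_t i = 0; i < in.size(); ++i) {
        char c = in[i];
        if (c == '=') {
            if (i + 2 < in.size()) throw std::invalid_argument("base64: padding not at end");
            padded = true;
            continue;
        }
        if (padded) throw std::invalid_argument("base64: data after padding");
        int v = b64_value(c);
        if (v < 0) throw std::invalid_argument("base64: invalid character");
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((acc >> bits) & 0xFF));
        }
    }
    return out;
}

// Parse "keyname:key[:fudge]"; fudge defaults to the same 600 seconds that
// tsig_record uses when the field is absent.
TsigKeyParams parse_tsig_keystring(const std::string &keystring,
                                   unsigned short default_fudge = 600) {
    size_t c1 = keystring.find(':');
    if (c1 == std::string::npos || c1 == 0)
        throw std::invalid_argument("keystring: expected keyname:key[:fudge]");
    TsigKeyParams p;
    p.keyname = keystring.substr(0, c1);
    size_t c2 = keystring.find(':', c1 + 1);
    std::string b64 = keystring.substr(
        c1 + 1, c2 == std::string::npos ? std::string::npos : c2 - c1 - 1);
    p.key = base64_decode_strict(b64);
    p.fudge = default_fudge;
    if (c2 != std::string::npos) {
        std::string f = keystring.substr(c2 + 1);
        if (f.empty() || f.find_first_not_of("0123456789") != std::string::npos)
            throw std::invalid_argument("keystring: fudge must be decimal");
        unsigned long v = std::strtoul(f.c_str(), nullptr, 10);
        if (v > 65535) throw std::invalid_argument("keystring: fudge exceeds 16 bits");
        p.fudge = static_cast<unsigned short>(v);
    }
    return p;
}

// RFC 2845 time check: the signer's "time signed" must lie within fudge
// seconds of the verifier's clock in either direction; otherwise the message
// is rejected (BADTIME, reported by Poslib as "bad sign time").
bool within_fudge(uint64_t time_signed, uint64_t now, unsigned short fudge) {
    uint64_t diff = now > time_signed ? now - time_signed : time_signed - now;
    return diff <= fudge;
}

int main() {
    // Constructed sample key string; "aGVsbG8=" is base64 for "hello".
    TsigKeyParams p = parse_tsig_keystring("key.example.:aGVsbG8=:300");
    std::printf("keyname=%s keylen=%zu fudge=%u\n",
                p.keyname.c_str(), p.key.size(), p.fudge);
    std::printf("within fudge: %d\n", within_fudge(1000, 1250, p.fudge) ? 1 : 0);
    return 0;
}
```

The window check is symmetric on purpose: a verifier whose clock is behind the signer's must reject just as one whose clock is ahead does, since an attacker replaying a captured message benefits from either kind of skew being tolerated.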
